Top Nav

w3af – Web Application Attack and Audit Framework

Last updated: September 9, 2015 | 10,966 views

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

SQL injection detection

XSS detection

SSI detection

Local file include detection

Remote file include detection

Buffer Overflow detection

Format String bugs detection

OS Commanding detection

Response Splitting detection

LDAP Injection detection

Basic Authentication bruteforce

File upload inside webroot

htaccess LIMIT misconfiguration

SSL certificate validation

XPATH injection detection

unSSL (HTTPS documents can be fetched using HTTP)

Discovery

Pykto, a nikto port to python

Hmap, http fingerprinting.

fingerGoogle, finds valid user accounts in google.

googleSpider, a spider that uses google.

webSpider, a classic web spider.

robotsReader

urlFuzzer

serverHeader, fetches server header

allowedMethods, gets a list of allowed HTTP methods.

crossDomain, get and parse the flash file crossdomain.xml

error404page, generate a regular expression to match 404 pages.

sitemapReader, read googles sitemap.xml and parse it.

spiderMan, using a localproxy and a human, find new URLs for auditing.

webDiff, find differences between a local and a remote directory.

wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.